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Abstract 

We consider the problem of testing the commutativity of a black-box group specified by its k generators. The 
complexity (in terms of fc) of this problem was first considered by Pak, who gave a randomized algorithm involv- 
ing 0{k) group operations. We construct a quite optimal quantum algorithm for this problem whose complexity is 
in 0(fc 2 / 3 ). The algorithm uses and highlights the power of the quantization method of Szegedy. For the lower bound 
of f2(fc 2 / 3 ), we give a reduction from a special case of Element Distinctness to our problem. Along the way, we prove 
the optimality of the algorithm of Pak for the randomized model. 

1 Introduction 

A direction of research in quantum computation pioneered by Grover [Gro96 1 around search problems in unstructured, 
structured, or partially structured databases has recently been infused with new ideas for algorithm design. In contrast 
to problems based on the Hidden Subgroup Problem (HSP) (see for instance Ref. [Mos99 |), the speed up for these 
search problems is often only polynomial. 

Usually in search problems, the access to the input is done via an oracle. This leads to the notion of query 
complexity which measures the number of accesses to the oracle. While no significant lower bounds are known 
for quantum time complexity, the oracle constraint sometimes enables us to prove such bounds in the query model. 
For promise problems quantum query complexity indeed can be exponentially smaller than the randomized one. A 
prominent example is HSP. On the other hand, for total functions, deterministic and quantum query complexities are 
polynomially related llBBC+Oll . 

In HSP, the group with its all structure is known to the algorithm designer, and the group operations are generally 
efficiently computable. In the event that the group is not explicitly known, or the group operations are not efficient 
to implement, it is appropriate to model the group operations by an oracle or a black-box. The notion of black-box 
groups was introduced by Babai and Szemeredi [BS84|. In this model, the elements of a group are encoded by words 
over a finite alphabet, and the group operations are performed by an oracle (the black-box). The groups are assumed to 
be specified by generators, and the encoding of group elements is not necessarily unique: different strings may encode 
the same group element. Mosca |Mos99| showed that one can learn in quantum polynomial time the structure of any 
black-box abelian group. Such a task is known to be hard classically. Then Watrous [WatOl | pioneered the study of 
black-box group properties in the quantum context. 
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In this context, we study the problem of testing the commutativity of a black-box group (GROUP COMMUTA- 
TIVITY) given by its generators. The classical complexity of this problem was first considered by Pak |PakOO|. The 
straightforward algorithm for the problem has complexity 0(k 2 ), where k is the number of generators, since it suffices 
to check if every pair of generators commute. Pak presented a surprising randomized algorithm whose complexity is 
linear in k, and also showed that the deterministic lower bound is quadratic. The linear upper bound on complexity 
may also be obtained by applying quantum search [Gro96| to locate a pair of generators that do not commute. Using 
the quantization of random walks by Szegedy [Sze04 |, we instead present a sublinear algorithm with time and query 
complexity in 0(k 2 ^ 3 ) (Theorem[3]l, where the O notation means that logarithmic multiplicative factors are omitted. 

Group Commutativity bears a deceptive resemblance to Element Distinctness. The aim in the former is 
to detect the presence of a pair of generators which collide in the sense that they do not commute. However, since the 
group structure is unknown, whether or not a pair of generators collide can only be determined by invoking the group 
oracle. Moreover, the group oracle provides access to elements from the entire group spanned by the given generators, 
which may be used towards establishing commutativity. These differences necessitate the use of ideas from Pak's 
algorithm, the theory of rapidly mixing Markov chains, and perhaps most remarkably, the Szegedy quantization of 
walks. 

Group Commutativity appears to be the first natural problem for which the approach of Szegedy has no 
equivalent using other known techniques for constructing quantum algorithms, such as Grover search [Gro96[, or 
the type of quantum walk introduced by Ambainis [Amb04|. Conversely, for Triangle Finding, the approach of 
Ambainis was more successfully applied. For this problem, Magniez, Szegedy and Santha |MSS05| construct a 
quantum algorithm that uses recursively two quantum walks a la Ref. |Amb04|, while the Szegedy quantization of 
walks seems to give a less query-efficient algorithm. The problems of GROUP COMMUTATIVITY and TRIANGLE 
FINDING thus give strong evidence that the walks due to Ambainis are not comparable with the ones due to Szegedy. 

A recent result of Buhrman and Spalek [Bv06| on matrix product verification also relies on the Szegedy quanti- 
zation for its worst case time complexity. However, for the worst case instances, when there is at most one erroneous 
entry, the approach of Ambainis gives an algorithm whose query complexity is the same as that due to Szegedy. 

We also prove that our algorithm is almost optimal by giving an f2(/c 2 / 3 ) lower bound for the quantum query com- 
plexity of Group Commutativity (Theorem©. Simultaneously, we give an fl(k) lower bound for its randomized 
query complexity (Theorem [4]). This lower bound shows that the algorithm of Pak |PakOO] is optimal, and to our 
knowledge is new. We prove the lower bounds using a reduction from the problem of detecting a unique collision pair 
of a function, which is a special case of ELEMENT DISTINCTNESS. 

2 Preliminaries 

2.1 Black-box groups 

We suppose that the elements of the group G are encoded by binary strings of length n for some fixed integer n, 
which we call the encoding length. The groups are given by generators, and therefore the input size of a group is the 
product of the encoding length and the number of generators. For simplicity, we also assume that the identity element 
of the group is given. Note that the encoding of group elements need not be unique, i.e., a single group element may 
be represented by several strings. If the encoding is not unique, one also needs an oracle for identity tests. Unless 
otherwise specified, we assume that the encoding is unique in this paper. All of our results apply when the encoding 
is not unique if one is given an oracle for identity tests. 

Since we deal with black-box groups we shall shortly describe them in the framework of quantum computing 
(see also Refs. |Mos99| or |Wat01|). For a general introduction to quantum computing the reader might consult 
Refs. |NC00, KSV02]. We work in the quantum circuit model. For a group G of encoding length n, the black-box 
is given by two oracles Og and its inverse Oq 1 , both operating on 2n qubits. For any group elements g,h € G, the 
effect of the oracles is the following: Oc\g)\h) = \g)\gh) and O^lg^h) = \g)\g~ 1 h). In this notation we 
implicitly use the encoding of a group element. We do that everywhere in the paper when there is no ambiguity. Not 
every binary string of length n necessarily corresponds to a group element. In this case the behaviour of the black-box 
can be arbitrary. 
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2.2 Query model 

The quantum query model was explicitly introduced by Beals, Buhrman, Cleve, Mosca, and de Wolf |BBC + Qll . In 
this model, as in its classical counterpart, we pay for accessing the oracle, but unlike the classical case, the machine 
can use the power of quantum parallelism to make queries in superposition. 

The state of the computation is represented by three registers, the query register g, the answer register h, and the 
work register z. The computation takes place in the vector space spanned by all basis states \g, h, z). In the quantum 
model the state of the computation is a complex combination of all basis states which has unit length in the £2 norm. 

For a black-box group the query operator is Oq together with its inverse Oq 1 . For oracle function F : X — > Y 
the query operator is Op : \g)\h) 1— > \g)\h © F(g)), where denotes the bitwise xor operation. 

Non-query operations are independent of the oracle. A k-query algorithm is a sequence of (k + 1) operations 
(Uo, Ui, . . . , Uk) where each Ui is unitary. Initially the state of the computation is set to some fixed value |0, 0, 0). 
In case of an oracle function, the sequence of operations Uq, Of, Ui, Of, ■ ■ ■ , Uk-i, Of, Uk is applied. For black- 
box groups, the modified sequence of operations Uq, Oq , U\, Oq , . . . , Uk-i, O h Q , Uk is applied, where hi 6 {±1}- 
Finally, one or more qubits designated as output bits are measured to get the outcome of the computation. The 
quantum algorithms we consider have a probabilistic outcome, and they might give an erroneous answer with non- 
zero probability. However, the probability of making an error is bounded by some fixed constant 7 < 1/2. 

In the query model of computation each query adds one to the query complexity of an algorithm, but all other 
computations are free. The time complexity of the algorithm is usually measured in terms of the total circuit size for 
the unitary operations Ui . We however take a more coarse-grained view of time complexity, and assume that operations 
such as accessing qubits containing group encodings or updating them, take unit time. 

2.3 Quantum walks 

We state a simple version of the recent result of Szegedy |Sze04|. Let P be an irreducible (i.e., strongly connected), 
aperiodic (i.e., non-bipartite), and symmetric Markov chain on a graph G — (V,E) on N vertices. Such a walk is 
necessarily ergodic, i.e., converges to a unique stationary distribution regardless of the initial state. 

Let P[u, v] denote the transition probability from u to v. Let M be a set of marked nodes of V. Assume, one 
is given a database D that associates some data D(v) to every node v G V. From D(v) we would like to determine 
if v € M. We expedite this search using a quantum procedure $. When operating with D three types of cost are 
incurred. The cost might denote any measure of complexity such as query or time complexities. 
Setup cost S: The cost to set up D(v) for atieF. 

Update cost U: The cost to update D(v) for a v £ V, i.e., moving from D(v) to D(v'), where the transition from v 
to v' is allowed by the Markov chain P. 

Checking cost C: For v £ V, the complexity of checking if v S M from D(v). 

Concerning the quantization of the walk P, one needs to consider the quantum time complexity of its implemen- 
tation in terms of the following parameters: 

Initialization time I: The time complexity for constructing the superposition 

-7=^2\/P[u,v\\u,v). 

Transition time T: The time complexity of realizing the transformation 

\u,v) I ► 2y/P[u, v] ^ \J P[u, v'} \u, V 1 ) — \u,v). 

v' 

The Markov chains we construct in this paper are all random walks on regular graphs. For every node u, the proba- 
bilities P[u, v] are all equal to 1/d or 0, where d is the degree of each node in the graph. The unitary transformation 
defined above, restricted to the node u in the first register, then corresponds to the Grover diffusion operator MGro96l 
on the neighbours of u. The diffusion operator is the unitary matrix § J — I. 

In the following theorem, which is the main result of Ref. [Sze04|, the notation O(-) denotes the existence of a 
universal constant so that the expression is an upper bound. 
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Theorem 1 (Szegedy BSze04l ). Let 8 be the eigenvalue gap of P, and let y^j > e > whenever M is non-empty. 

There exists a quantum algorithm that determines if M is non-empty with cost S+0((U + C)/ \/~8e), and an additional 
time complexity of\ + 0(T/y/Se). 

Note that in this theorem, when the cost denotes the time complexity, we need to add the additional time complexity 
term to it. 

Szegedy's theorem thus gives us a recipe for constructing and characterizing the behaviour of a quantum walk 
algorithm by specifying a classical random walk, and analysing its spectral gap and stationary distribution. 



2.4 Spectral gap of Markov chains 

The spectral gap (or eigenvalue gap) of a Markov chain (with non-negative eigenvalues) is the difference between the 
largest and the second largest eigenvalue of the probability transition matrix that represents it. Estimating this quantity 
directly from a description of the matrix is often very difficult. We take an indirect route to estimating this quantity by 
appealing to its relation with the convergence properties of the Markov chain. 

Consider an ergodic Markov chain on state space X with stationary distribution tt. Let P* be the probability 
distribution on X obtained by performing t steps of the Markov chain starting at x. Let A(t) be the maximum over all 
starting states x £ X of the total variation distance \\P* — ir\\. Then the mixing time r of the Markov chain is defined 
as the smallest t such that A(t') < ^ for all t' > t. 

A coupling for a Markov chain is a stochastic process on pairs of states (Ut, Vt) such that XJ t and Vt, viewed 
marginally, each evolve according to the Markov chain, and if U t = Vt, then Ut+i = Vt+i- The coupling time T is 
the maximum expected time (over all pairs of initial states (u, v)) for the states Ut, Vt to coincide: 

T = maxE[argmin t {[/ t = Vt, Uo = u, Vq = v}]. 

u,v 

We use the following facts about the mixing of Markov chains: 

1. BSin93l Proposition 2.2, Chapter 2] For walks with only non-negative eigenvalues, A* < A(t) ■ (min u 7r(ti)) -1 , 
where A is the second largest eigenvalue. This bounds the second largest eigenvalue in terms of the total variation 
distance. 

2. (see e.g., Ref. jAld82|) A(£) < 2 exp(— |_-J)- This relates the total variation distance at any time t to the 
mixing time r. 

3. jGri78 | r < 2eT. This bounds the mixing time r in terms of the coupling time T, 

Combining all three relations, we may deduce the following relationship between the spectral gap of a Markov 
chain and coupling time. 

Corollary 1. For any ergodic Markov chain with only non-negative eigenvalues, the spectral gap 1 — A > ■^Kp, 
where A is the second largest eigenvalue, and T is the coupling time for any valid coupling defined on X x X. 

Proof. Chaining all three facts listed above, taking t-th roots, and letting t — > oo, we see that 

which is equivalent to the claim. □ 
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2.5 The problems 

Here we define the problems we are dealing with. The focus of the paper is on 
Group Commutativity 

Oracle: Group operations Oq and Oq 1 for an encoding in {0, 1}™ 
Input: The value of n and the encoding of generators g±, . . . , g). of G 

Output: Yes if G is commutative, and No otherwise (if there are two indices i, j such that g^j ^ <?jft) 
The next problem is a special instance of a well-studied problem, ELEMENT DISTINCTNESS. 
Unique Collision 

Oracle: A function F from {1, . . . , k} to {1, . . . , k} 
Input: The value of k 

Output: Yes if there exists a unique collision pair x ^ y E {1, . . . , A;} such that F(x) — F(y), and No if 
the function is a permutation 

This is a promise problem (or a relation) since we do not require a definite output for certain valid oracle functions. 
We also use a further specialization of the problem when k is even, Unique Split Collision, where, in the Yes 
instances, one element of the colliding pair has to come from {1, . . . , k/2} and the other from {fc/2 + 1, . . . , k}. We 
call this a split collision. Note that in the positive instances of this problem, the restriction of the function to the two 
intervals {1, . . . , k/2} and {fc/2 + 1, . . . , k} is injective. 

A beautiful application of the polynomial method gives us the optimal query complexity of Unique Collision. 

Theorem 2 ([AS04l lKut05IIAmb05l ). The quantum query complexity of UNIQUE COLLISION is fi(fc 2 / 3 ). 

The original results of the works cited above refer to the more general problem Element DISTINCTNESS, which 
requires the detection of one or more colliding pairs. This was proven by a randomized reduction from the problem 
COLLISION which distinguishes between a bijection and a two-to-one function. However, the reduction is still valid 
for the special case we consider. The reason is that the randomized reduction from COLLISION results in instances of 
Unique Collision with constant probability. 

3 A quantum algorithm for GROUP COMMUTATIVITY 

We are given a black-box group G with generators g\, ... , g^. The problem is to decide if G is abelian. For technical 
reasons (see the proof of Lemma[TJ, and without loss of generality, we assume that g\ is the identity element. 

We denote by Si the set of all /-tuples of distinct elements of {1, . . . , fc}. For any u = (ui, . . . ,ui) E Si, we 
denote by g u the group element g Ul . . . g U[ . Not all group elements are generated by such products of / generators. 
However, the subset of group elements we get this way has properties analogous to the entire group (see Lemma [2] 
below). 

Our algorithm is based on the quantization of a random walk on Si x Si — Sf. We adapt an approach due to Pak, 
for which we generalize Lemma 1.3 of Ref. [Pak00| to random elements from Si. Then we show how to walk on Sf 
for finding a non-commutative element in G, if there is any. We conclude using TheoremQ] 

In this section, we let p = HLj^+fedK^zli^) _ Observe that when fc = 21, then p — ^j^j < |. Moreover, when 
I = o(k), then 1 - p = B{l/k). 

Lemma 1. Let K ^ G be a subgroup of G. Then Pr„ e s ( [g u £ K] > — i 2 - 

Proof. First we fix a total order (equivalently, a permutation) a of {1, ... , fc}, and we denote by Sf that subset of 
/-tuples in Si which respect the total order a. In other words, u — (ui, . . . , Ui) E Sf iff <r _1 (iti) < cr _1 (ui+i) for 
all 1 < i < I. 

All the sets Sf have the same size (™). Any tuple u of distinct elements respects exactly n\/l\ permutations a, 
and therefore occurs in exactly the same number of sets Sf. Thus picking a uniformly random element from Si is the 
same as first picking a uniformly random permutation a, and then picking a random element u E Sf. Consequently, 
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it is enough to prove the theorem for any fixed order a. The reader may find it helpful to take a to be the identity 
permutation to understand the idea behind the proof. 

Let i be the smallest index for which g^u) K. Such an i exists since K ^ G. Recall that g\ is the identity 
element. 

Fix an ordered Z-tuple u such that a(i) e" u and leu. We denote by v the ordered Z-tuple where 1 has been 
deleted from u, and a(i) has been inserted into it at the appropriate position (that respects the total order). Formally, 
if u = (ui, . . . , u m , u m+ i, . . . ,ui) such that CT _1 (u m ) < i < <r~ 1 (u m +i), then v is obtained by deleting 1 from 
the (I + l)-tuple (ui, . . . , u m , a(i),u m +i, . . . , ui). This mapping defines a bijection (a perfect matching) between 
tuples u such that a(i) g" u and leu, and tuples v such that e v and 1 g" v. Below we show that for every 
matched pair of tuples u, v, at least one of the group elements g u , g v is not in K. 

Consider a matched pair u, v as above. Let a = g Ul gu 2 ' ' 1 9u m , and b = g Um+1 ■ • • 9m- Then g u = ab and g v = 
ag<r(i)b- Note that because of the choice of i, the group element a e K. If g u = ab e K, then b = a~ 1 g u E K as 
well. This means that g v = ag a ^)b g" K, since otherwise, we would have g a u) — a~ 1 g v b~ 1 e K. Thus, both g u 
and g v cannot be in K . Therefore 



Pr [g u e K\a(i) e u xor 1 e u] < -. 



Since for any two indices i, j, 



Pr [i,j e u or i,j 



l(l-l) + (k-l)(k-l-l) 



we conclude that 



uasf 1 r fc(yfc - 1) 



Pr^eir] < (i-p)x|+ P xi, 

ueSf 



which is at most (1 + p)/2. □ 

From Lemma [T] we can generalize Lemma 1.1 of Ref. [PakOO]. For this, we recall the notions of the centre of a 
group, and the centralizer of a group element. The centralizer C(g) of a group element g e G is the set of all group 
elements h that commute with g. This is a subgroup of G. The centre C(G) of the group is the intersection of the 
centralizers of all groups elements. This is also a subgroup of G, and by definition, the elements of this subgroup 
commute with every element of the group G. 

Lemma 2. If G is non-commutative then Pr ul)g 5 i [g u g v ^ g v 9u] > — 

Proof. If G is non-commutative, then the centre C(G) of G is a proper subgroup. With probability at least (1 — p)/2, 
g u does not belong to C(G) for a random u e Si (LemmaQ]). We condition upon this event. Since g u e" C(G), there 
is at least one element of G that does not commute with it. So the centralizer of g u is also a proper subgroup of G. 
Again, by Lemma [1] the probability that for a random v e Si, g v does not belong to the centralizer of g u is also at 
least (1 -p)/2. □ 

For u e Si, let t u be the balanced binary tree with I leaves, whose leaves are from left to right the elements g Ui , 
for i = 1, . . . , I, and such that each internal node is the group product of its two successors. If I is not a power of 2, 
we put the deepest leaves to the left. 

The random walk on Sf that forms the basis of our quantum algorithm consists of two independent simultaneous 
walks on Si. For a pair (u, v) of ^-tuples, we maintain the binary trees t u , t v as described above as the data. 

The random walk on Si 

Suppose the current state is u e Si. 

With probability 1/2 stay at u; with probability 1/2, do the following: 

- Pick a uniformly random position i e {1, . . . , I}, and a uniformly random index j e {1, . . . , k}. 
-If j = u m for some m, then exchange Ui and u m , else, set it.; = j. 

- Update the tree t u (using O(logZ) group operations). This involves "uncomputing" all the products 
from the root to the leaf that is being updated, and then computing fresh products from the leaf to the root 
of the tree. 
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Lemma 3. The spectral gap of the walk described above is at least , , c , , for a universal constant c > i-, provided I < 



Proof. First, we show that the random walk mixes rapidly using a "coupling argument". Then, using a relation between 
mixing time and the second largest eigenvalue, we get a bound on the spectral gap. 

Note that the walk is ergodic and has the uniform distribution on Si as its stationary distribution it. Thus n(u) = 

(k-iy. e „ 
v ■ I for all u. 

The eigenvalues of any stochastic matrix P, such as the transition matrix of a Markov chain, all lie in the inter- 
val [—1,1]. Suppose we modify the chain by including self-loops at every state, i.e., remaining at the current state 
with probability 1/2, and following the transition of the chain with probability 1/2. Then the transition matrix be- 
comes (I + P)/2, where I is the identity matrix. The eigenvalues of this matrix lie in the interval [0, 1]. Because of 
such self-loops, all the eigenvalues of our walk above on Si are non-negative. 

In order to find a lower bound for the spectral gap of our random walk on Sj, we use Corollary Q] A coupling for 
which T < I log I is the obvious one: for any pair u, v £ Sj, follow one step of the random walk with the same choice 
of random position i and index j. This is clearly a valid coupling, since the marginal process on any one of the two 
tuples is the same as our walk, and if the two tuples are identical, they are modified identically by the walk. 

Let d be the Hamming distance between the two tuples u, v. This distance never increases during the coupling 
process described above. Moreover, in one step of the process, the distance goes down by 1 with probability at 
least 4;. This is because with probability d/l, the position i is one where u and v are different, and with probability at 
least (k—l)/k, the index j is not one from the positions where u and v are the same. Since I < k/2, the net probability 
that the distance decreases by 1 is at least d/2l. 

By a straightforward calculation, the expected time T for the distance to go to zero is at most 21 log I (since d < I). 
Using the relation between A and T derived in CorollaryQ] we get our bound on the spectral gap. □ 

Theorem 3. There is a quantum algorithm that solves GROUP COMMUTATIVITY with 0(fc 2 / 3 log k) queries and time 
complexity 0(k 2 ^ 3 log 2 k). 

Proof. Our algorithm derived from an application of Theorem Q] to the product of two independent walks on Si. The 
database associated with a tuple u S Si is the binary tree t u . Due to the Szegedy Theorem, we need only compute the 
eigenvalue gap S of the random walk and the fraction of marked states e in the uniform distribution on Sf. 

The stationary distribution for the walk is the uniform distribution on SixSi. So, from Lemma[2]above, the fraction 
of marked states e is at least (1 — j») 2 /4. The spectral gap 5 for the walk is the same as that on Si, i.e., S > c/(l log I), 
from Lemma [3] 

We start with a uniform distribution over \u, t u ) |u, t v ), where u, v <E Si. The setup cost is at most 2(1 — 1) and the 
updating cost of the walk is 0(log I). We choose I = o(k) so that l—p= Q(l/k). By TheoremQ] the total query cost 
is 



This expression is minimized when I = fc 2 / 3 log k, and the cost is 0(fc 2 / 3 log k). 

The time complexity overhead comes from the initialization and transition times that are both essentially equal 
to the time complexity of performing a Grover diffusion operation (see Section l2~3l l. For the initialization, we use a 
diffusion over Sf, whose time complexity is 0(log(|Sj | 2 )) = 0(1 logfc). For the transition, we use a diffusion over 
a set of size 2 tensor product with a diffusion over a set of size kl, therefore the corresponding time complexity is 



k/2. 




0(\og(kl)) = 0(\ogk). 



□ 
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4 Reduction from Unique Split Collision 



We begin our presentation of the lower bound by considering the complexity of Unique Split Collision. This 
problem is at least as hard as UNIQUE COLLISION in its query complexity since any bounded-error algorithm for the 
former can be used to detect an arbitrary collision. 

Proposition 1. The randomized and the quantum query complexity of UNIQUE SPLIT COLLISION is respectively 
n(k)andn(k 2 / 3 ). 

Proof. One can prove the Q(k) lower bound for classical query complexity by an adversary argument. 

For the quantum case, we reduce Unique Collision to Unique Split Collision by composing the oracle 
function with a random permutation. Then Theorem|2] (due to Aaronson and Shi | AS04 1 and Kutin [ Kut05 1 , together 
with Ambainis |Amb05|) implies the lower bound. 

Assume that we have an algorithm A for Unique Split Collision with constant bounded error 7 < 1/4. We 
run A on oracle F composed with a random permutation on the domain. If there is a collision in the function F, 
with probability at least 1/2, the colliding pair will have one point on either side of k/2. This will be detected with 
probability at least 1 — 7. The overall success probability will be (1 — j)/2 > 3/8. If there is no collision, the 
algorithm will make an error with probability at most 7 < 1/4. Using standard techniques, this gap in acceptance 
probability can be made symmetric around 1/2 and boosted by repeating the experiment with an independent run of 
the algorithm A on F composed with a fresh random permutation. For completeness, we include the argument below. 

Our final algorithm for UNIQUE COLLISION picks two random permutations, and runs A on the oracle function 
composed with these permutations. It accepts if any one of the two executions of A accepts. We now show that the 
error of our algorithm is now upper bounded by 1/4 + 7 < 1/2. 

If the oracle function F has no collision, the error is upper bounded by 27 < I/4+7. If F has a collision, then with 
probability at most (1/2) 2 = 1/4, the colliding pair has no point on either side of k/2 for both the randomly chosen 
permutations. Assume this is not the case, and fix a permutation for which the permuted F has a split collision. Our 
algorithm accepts this permutation of F with probability at least 1 — 7. Therefore the overall error is upper bounded 
by I/4 + 7. 

In reducing a positive instance of UNIQUE COLLISION, with probability close to 1/4, we get inputs for which the 
algorithm for Unique Split Collision need not output a definite answer with probability bounded away from 1/2. 
(These are inputs where the colliding pair of indices are both at most k/2 or both greater than k/2.) Our argument is 
valid in spite of this, since the acceptance probability in the other case is high. □ 

We conclude by proving the same lower bound for GROUP COMMUTATIVITY as well. We thus show that the 
algorithm described in the previous section is almost optimal. 

The group involved in the proof of the lower bound is a subgroup G of U(4k), the group under matrix multiplica- 
tion of 4fc x 4fc unitary matrices. The generators of G are block diagonal, each with 2k blocks of dimension 2x2. 
Each block is one of the following Pauli matrices: 

'-{i :)■ *-(? 0- z =0 a). -:)■ 

No pair of matrices amongst X, Y and Z commute. An encoding of the group G consists in words o\ . . . a^k of 
length 2k over the alphabet {I, X. Y, Z} together with a sign vector s = (si, S2, . . . , S2k) in — 1} 2,C . A tuple 
(s,cri, . . . U2k) represents the matrix diag(si<ri, . . . , s%k^%k)- We call this encoding the explicit encoding. 

Theorem 4. The randomized and the quantum query complexity of GROUP COMMUTATIVITY are respectively Q(k) 
andVL{k 2 ^). 

Proof. We prove the theorem by reducing Unique Split Collision to Group Commutativity. First, we define 
a group that is non-commutative if and only if the oracle input F for Unique Split Collision has a collision. 
Second, we design a unique encoding of the group elements such that each group operation can be simulated with at 
most four queries to F. We then conclude our theorem using PropositionQ] 
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For i, j e {1, 2, . . . , fc}, we define ;, bij € U(2k) of the form described above. Both kinds of matrix have 
the identity matrix in all their blocks except for the i-th and (j + fc)-th. The i-th block is Y in both and bij. 
The (j + fc)-th block is Z in and X in bij. 

Suppose the oracle for the problem Unique Split Collision computes the function F : {1, . . . , k} — > 
{1, . . . , fc}. We associate a generator ^ of the type described above with each element i in the domain of F. The 
generator gt is a^j) if i < k/2, and it is b iF ^) if i > fc/2. 

Observe that all the generators gi are distinct, since the i-th block in it is Y, and the rest of the initial k blocks are 
the identity matrix. This is designed so that we can identify the index i from the explicit encoding of a generator. 

For any two distinct points i\,i 2 , if F(i\) ^ F(i 2 ), then the generators gi 17 gi 2 have distinct blocks F(ii) + k 
and F(i 2 ) + k set to either Z or X. So if the function F is injective, the set of generators {gi} consists of k distinct 
commuting elements. If there is a collision ii, i 2 in F with one point on either side of fc/2, then the same block F(i 1 ) + 
k = F (i 2 ) + fc is set to Z and X respectively. Then the generators g i± and g i2 do not commute, and the group generated 
by {gi} is non-abelian. 

The encoding of the group elements is the explicit encoding defined above except for the generators gi. The 
generators gi are encoded by their corresponding indices i. The input to GROUP COMMUTATI VTTY is 1, 2, . . . , fc. 

Now we explain how to simulate the group operations. When an integer i is involved in a group operation, we 
query the oracle for F at i and construct gi as defined above. One more query to F is required to erase the value of the 
function. Otherwise we do not query F. Matrix operations can be performed without incurring any further calls to F. 

We also have to take care to output the result of a group operation in the correct encoding. Namely, when the 
output of a group operation is either or b^, for some i, j, then we check if it can be encoded by i using one query 
to F, and one more query to erase the value of the function. 

Thus a group operation involves F at most six times, when both of the elements are encoded by integers. Note 
that a product of two group elements of the form or bij can never result in another such generator. We can thus 
improve the number of invocations of the function oracle from six to four per group operation. □ 
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